AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Wednesday, May 06, 2009

PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption

POSTED BY Tim Trow AT 1:28 PM

Although the PCI SSC changed the wireless security standards six months ago with the release of PCI DSS v1.2, many merchants are still using WEP on networks that store, process or transmit credit card information.

The new standard introduced the following changes with regard to wireless technology:

  • Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks.
  • Merchants using WEP networks must transition to Wi-Fi Protected Access (WPA) security no later than June 30, 2010.
  • Wireless must be implemented using strong encryption for authentication and transmission. The PCI council cited IEEE 802.11i as an example.

The days of applying compensating controls to address the inherent weaknesses of WEP are in the past.

For smaller networks, a WPA network with 802.1X authentication may be straightforward to implement. In some cases, however, the work may require major infrastructure changes and possible upgrades to payment applications.

What can you do next?

Companies need to develop a phased approach to the planning, execution and implementation of a successful wireless (WPA) upgrade and/or rollout.

Some of the key steps include the following:

  • Determine what infrastructure equipment (controllers, APs) is compatible with a quick upgrade to WPA
  • Identify and consult with hardware manufacturers on non-WPA capable devices
  • Make sure your wireless devices, such as laptops and PDAs, are also compatible
  • Create a “rollout” strategy by testing the new WPA wireless network before going into production
  • A third party assessment may prove cost effective

Many QSAs have seen this on the PCI Security Standards line card for some time. The council has set a clear deadline of June 2010. Are you ready?

LABELS: Compliance, PCI, Security, Tim Trow
